Allow an application only for Teams via Cloudflare Access without Web Authentication (By Using Warp Client and CF Teams)

My application is hosted on service.example.com
This is an API which is used for a desktop application on a user’s computer.

Using Cloudflare Access, I could have protected it if this were a web app.
But I want to allow the members from Cloudflare Teams only to access this application. They should be able to access this service if they are connected to Cloudflare Teams VPN, everyone else should not have access to this service.

Since Cloudflare is handling my DNS and Teams VPN service, I believe this is possible but cannot figure out how!

How do I achieve this?

There is no “Gateway” option in my drop-down.
How to get this option in my drop-down?

I have the following options in my dropdown:
Country, Email, Emails ending in, IP Ranges, Everyone, Common name, Valid Certificate, Service token, Any Access Service Token & Login Methods

Sorry, missed one part. You need to add a device posture attribute here first:

There is still no difference after adding Gateway (and WARP as well, as there was no difference for me after just adding Gateway).

Expected outcome

  1. No Cloudflare login screen should come up when the user is connected to Cloudflare Teams VPN
  2. Not allowed to access the page without connecting to Cloudflare Teams VPN

Current Outcome:

  1. It’s still asking for Web Login when I am connected to Teams VPN.
    Since the desktop application uses direct calls to the server, this Web Login is causing an issue here.

This is my current rule definition

Not yet available

I guess I should update my answer… it is actually available now. It does, however, require that Proxy is enabled in Settings | Network (first option). That being said… @w3dev I’d remove Warp from the policy above and just have Gateway … the former being anyone with the Warp Client, the latter being anyone running the Warp client signed into your team.

Is it? I have Proxy enabled (and TLS Decryption). I have Device Posture Gateway in the list and have added Gateway to a rule - tried both as Group and as Additional Rule.

In both cases I still received the login page for my Cloudflare Access.

Great! Was really waiting for this one a long time! I suppose we need to add this as a “Bypass”-rule?

It is working - added a Service Auth rule. Connected via WARP and no login page required. Disconnected from WARP and login page shown again.

Thanks!

Thanks, it works after setting the rule mode to “Service Auth”.
However, it seems like we cannot filter by Email in case of Service Auth.

@cs-cf Since we set up Cloudflare Teams by our Cloudflare Teams email address, is there any way that we can add an Email filter while using Service Auth?

Not today, perhaps in the future.
